TWI745227B - Communication system and communication method for performing third party authentication between home service and foreign service - Google Patents


Info

Publication number: TWI745227B
Authority: TW (Taiwan)
Application number: TW110103666A
Other languages: Chinese (zh)
Other versions: TW202232917A (en)
Inventors: 林盈達, 德 司
Original assignee: 國立陽明交通大學
Application filed by 國立陽明交通大學
Priority to TW110103666A (patent TWI745227B)
Priority to US17/356,588 (patent US11502987B2)
Application granted
Publication of TWI745227B
Publication of TW202232917A

Classifications

All classes fall under H04L (transmission of digital information) except H04W12/06, which falls under H04W (wireless communication networks).

    • H04L65/1073 Session management: registration or de-registration
    • H04L63/0281 Network security, separating internal from external traffic: proxies
    • H04L63/0815 Authentication of entities providing single-sign-on or federations
    • H04L63/0876 Authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/0892 Authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
    • H04L63/20 Managing network security; network security policies in general
    • H04L65/1045 Proxies, e.g. for session initiation protocol [SIP]
    • H04L65/1063 Application servers providing network services
    • H04W12/06 Security arrangements: authentication
    • H04L61/4588 Network directories; name-to-address mapping containing mobile subscriber information, e.g. home subscriber server [HSS]


Abstract

Provided is a communication system for executing a third-party authentication between a home service terminal and a foreign service terminal, wherein the home service terminal and the foreign service terminal can be selected from a cloud, an edge or a fog. The communication system includes a control module and a plurality of operating modules that are configured in a universal proxy, wherein the universal proxy performs communication with a cloud via a cloud relay, performs communication with an edge via an edge relay, and performs communication with a fog via a fog relay. The control module selects two of the operating modules to execute the third-party authentication according to the types of the home service terminal and the foreign service terminal.

Description

Communication system and method for performing third-party authentication between a home server and a foreign server

The present invention relates to the field of communication technology, and in particular to authentication technology for communications.

With the development of communication technology, cloud communication services have become widely known, and fog communication services have gradually emerged. However, cloud and fog communications are usually slower than the telecommunication services of a local operator (also called edge services), so when a user needs high-bandwidth or low-latency transmission, the telecommunication services provided by the local operator are still required. At present, a user who wants to use cloud, fog and edge services must hold an account not only on the cloud but also on the fog or edge, and must switch between accounts to use all three, which is inconvenient. In addition, the cloud, the fog and the edge currently use different communication protocols, so it is difficult for the three systems to communicate with one another.

In view of this, the present invention provides an improved communication system and communication method to solve the above problems.

Based on the above objective, the present invention provides a communication system for performing a third-party authentication between a home server and a foreign server, where the type of each of the home server and the foreign server may be cloud, edge or fog. The communication system includes a control module and operating modules arranged in a universal proxy server. The universal proxy server communicates with the cloud through a cloud relay, with the edge through an edge relay, and with the fog through a fog relay. The control module selects at least two of the operating modules to perform the third-party authentication according to the types of the home server and the foreign server.

In addition, the present invention provides a communication method, executed by a communication system, for performing a third-party authentication between a home server and a foreign server, where the type of each of the home server and the foreign server may be cloud, edge or fog, and the communication system includes a control module and operating modules. The communication method includes the step of selecting, by the control module and according to the types of the home server and the foreign server, at least two of the operating modules to perform the third-party authentication. The control module and the operating modules are arranged in a universal proxy server, and the universal proxy server communicates with the cloud through a cloud relay, with the edge through an edge relay, and with the fog through a fog relay.

The embodiments and operating principles of the present invention are described below through several examples. Those of ordinary skill in the technical field of the present invention can understand the features and effects of the invention through these embodiments, and may combine, modify, replace or adapt them in keeping with the spirit of the invention.

The term "connected" as used herein includes both direct and indirect connection, and is not limiting. The expressions "when ..." and "at the time of ..." herein mean "at, before or after" that moment, and are not limiting.

Ordinal terms used herein, such as "first" and "second", serve to qualify claim elements; they do not by themselves imply that a claim element carries any prior ordinal number, nor any order between one claim element and another, nor any order in a manufacturing method. They are used only to clearly distinguish one claim element bearing a given name from another claim element bearing the same name.

Where several functions (or elements) are described and the word "or" is used between them, it means that the functions (or elements) may exist independently, but it does not exclude that several of them may exist at the same time; in other words, as long as the description is reasonable, the word "or" includes the case of "and".

To keep the description concise, where an element of the present invention has an English abbreviation commonly used by those skilled in the art, its full name is given only the first time the element is mentioned, and the English abbreviation is used in the remaining paragraphs.

FIG. 1 is a system architecture diagram of a communication system 1 according to an embodiment of the present invention. As shown in FIG. 1, the communication system 1 of the present invention can perform third-party authentication between a home server and a foreign server through a control module 21 of a universal proxy server 2. The home server may be a cloud server 3a (hereinafter the home cloud 3a), an edge server 4a (hereinafter the home edge 4a) or a fog server 5a (hereinafter the home fog 5a), and the foreign server may be a cloud server 3b (hereinafter the foreign cloud 3b), an edge server 4b (hereinafter the foreign edge 4b) or a fog server 5b (hereinafter the foreign fog 5b). The purpose of the present invention is to let an account of the home server use the services of the foreign server directly, without registering again with the foreign server, where the home server is defined as the server with which the account is registered and the foreign server as a server with which the account is not yet registered. An account of the home server obtains the communication services provided by the home server or the foreign server through a user equipment 6.

In one embodiment, the communication system 1 of the present invention may include the hardware of the universal proxy server 2 together with at least part of its software. In another embodiment, the communication system 1 may include only at least part of the software of the proxy server 2, for example only the control module 21.

In one embodiment, the user equipment 6 may be an electronic device with Internet of Things (IoT) capability, such as a notebook computer, a tablet computer, a desktop computer, a smartphone or any of various smart portable devices, without limitation.

In one embodiment, the home cloud 3a and the foreign cloud 3b may be the communication service systems of different e-commerce companies such as Google, Amazon and T-Mobile, and the services of the home cloud 3a and the foreign cloud 3b may be the various cloud services offered by these companies, such as infrastructure as a service (IaaS), software as a service (SaaS) or platform as a service (PaaS), without limitation. The home edge 4a and the foreign edge 4b may be the communication service systems of different telecommunication companies, such as Chunghwa Telecom (Hinet), Far EasTone (FETnet), AT&T mobile, T-Mobile or Verizon, and the services of the home edge 4a and the foreign edge 4b are the services provided by these telecommunication operators, such as those of the Third Generation Partnership Project (hereinafter 3GPP), third-generation (3G), fourth-generation (4G) or fifth-generation (5G) mobile communication technology, without limitation. The home fog 5a and the foreign fog 5b may be different fog computing communication service systems, such as Veniam, Embotech GmbH, Shield AI, SONM and FogHorn Systems, without limitation.

In one embodiment, the communication protocol used by the home cloud 3a and the foreign cloud 3b is OpenID Connect (hereinafter OIDC). To perform OIDC authentication, the home cloud 3a and the foreign cloud 3b may each include an identity provider (hereinafter IdP), a relying party (hereinafter RP) and/or an information endpoint (not shown). The IdP, RP and information endpoint are known to those skilled in the art and are not described in detail.

In one embodiment, the communication protocol used by the home edge 4a and the foreign edge 4b is 3GPP, with the Evolved Packet System Authentication and Key Agreement (EPS-AKA) as the authentication mechanism. To perform EPS-AKA authentication, the home edge 4a and the foreign edge 4b each include a mobility management entity (hereinafter MME) and/or a home subscriber server (hereinafter HSS) (not shown). The MME and HSS are known to those skilled in the art and are not described in detail.

In one embodiment, the communication protocol used by the home fog 5a and the foreign fog 5b may be OIDC or IEEE 802.1x (hereinafter simply 802.1x). When the home fog 5a and the foreign fog 5b use OIDC, they may include an IdP, an RP and/or an information endpoint (not shown) to perform OIDC authentication. When the home fog 5a and the foreign fog 5b use 802.1x, they may include an authentication server (AS) and/or an access point (AP) (not shown) to perform 802.1x authentication. The AS and AP are known to those skilled in the art and are not described in detail.

For convenience, the case in which an account of the home server uses, through the user equipment 6, a cross-domain service of the foreign server is denoted below as "home-to-foreign". For example, when an account of the home cloud 3a wants to use the service of the foreign edge 4b with which it is not registered, the cross-domain service is denoted "cloud-to-edge"; when an account of the home cloud 3a wants to use the service of the foreign fog 5b with which it is not registered, and the foreign fog 5b uses OIDC, the cross-domain service is denoted "cloud-to-fog(OIDC)". Other cases follow by analogy. Accordingly, the cross-domain services supported by the communication system 1 of the present invention include at least cloud-to-edge, cloud-to-fog(OIDC), cloud-to-fog(802.1x), cloud-to-cloud, edge-to-edge, edge-to-fog(OIDC), edge-to-fog(802.1x), edge-to-cloud, fog(OIDC)-to-edge, fog(OIDC)-to-fog(OIDC), fog(OIDC)-to-fog(802.1x), fog(OIDC)-to-cloud, fog(802.1x)-to-edge, fog(802.1x)-to-fog(OIDC), fog(802.1x)-to-fog(802.1x) and fog(802.1x)-to-cloud. The present invention can also be extended to support further communication service systems using other communication protocols.

As shown in FIG. 1, to perform third-party authentication for the various cross-domain services, the communication environment of the communication system 1 of the present invention may consist of the universal proxy server 2, at least one home server (home cloud 3a, home edge 4a and/or home fog 5a), at least one home relay (cloud relay 7a, edge relay 8a and/or fog relay 9a), at least one foreign server (foreign cloud 3b, foreign edge 4b and/or foreign fog 5b), at least one foreign relay (cloud relay 7b, edge relay 8b and/or fog relay 9b) and the user equipment 6. Further, a relay is placed on every communication path between a server (home or foreign) and the universal proxy server 2 to forward messages between that server and the universal proxy server 2. The type of home relay may be a cloud relay (hereinafter CR) 7a, an edge relay (hereinafter ER) 8a or a fog relay (hereinafter FR) 9a, and the type of foreign relay may be a CR 7b, an ER 8b or an FR 9b.

Note that the communication system 1 of the present invention can operate with a single home server and a single foreign server, or with multiple home servers and multiple foreign servers.

The communication system 1 further has a plurality of operating modules 22 to 28. The operating modules 22 to 28 may be arranged in the universal proxy server 2, and the control module 21 controls the operating modules 22 to 28 to carry out the operations required for third-party authentication of the various cross-domain services. The control module 21 selects at least two of the operating modules 22 to 28 according to the types of the home server and the foreign server to carry out those operations; in other words, different cross-domain services use different operating modules 22 to 28.

In one embodiment, the operating modules 22 to 28 may include a virtual identity provider (hereinafter vIdP) 22, a virtual user equipment (hereinafter vUE) 23, a virtual mobility management entity (hereinafter vMME) 24, a virtual relying party (hereinafter vRP) 25, a virtual user (hereinafter vUSER) 26, a virtual home subscriber server (hereinafter vHSS) 27 and a virtual authentication server (hereinafter vAS) 28. For convenience, each operating module is referred to below by its abbreviation. As long as it is feasible, operating modules 22 to 28 may be added to or removed from the universal proxy server 2 as required.

In one embodiment, the control module 21 may be a control chip of the universal proxy server 2; in another embodiment, it may be a computer program product (software) or firmware executed by a microprocessor or microcontroller of the universal proxy server 2. In one embodiment, the operating modules 22 to 28 may be implemented by hardware components of the universal proxy server 2 together with software or firmware; in another embodiment, they are software or firmware themselves. When the control module 21 and the operating modules 22 to 28 are all software, they may be integrated, for example with the control module 21 as the main program and the operating modules 22 to 28 as subroutines. The present invention is not limited to these arrangements. The implementation of the control module 21 and the operating modules 22 to 28 can thus be understood.

The functions of the operating modules 22 to 28 are as follows:

vIdP (virtual identity provider) 22: communicates with a foreign server that uses OIDC, for example with the foreign cloud 3b through CR 7b, or with a foreign fog 5b that uses OIDC through FR 9b.

vUE (virtual user equipment) 23: communicates with the home edge 4a, for example with the MME of the home edge 4a through ER 8a.

vMME (virtual mobility management entity) 24: communicates with the vHSS 27 of the universal proxy server 2, or with the home edge 4a, for example with the HSS of the home edge 4a through ER 8a.

vRP (virtual relying party) 25: communicates with a home server that uses OIDC, for example with the IdP of the home cloud 3a through CR 7a, or with the IdP of the home fog 5a through FR 9a.

vUSER (virtual user) 26: communicates with a home server that uses OIDC and 802.1x, for example with the information endpoint of the home cloud 3a through CR 7a, or with the information endpoint of the home fog 5a through FR 9a.

vHSS (virtual home subscriber server) 27: communicates with the vMME 24 of the universal proxy server 2, or with a foreign server that uses 3GPP, for example with the MME of the foreign edge 4b through ER 8b.

vAS (virtual authentication server) 28: communicates with a foreign server that uses the 802.1x protocol, for example with the AS of the foreign fog 5b through FR 9b.

Depending on the home server and the foreign server, the control module 21 uses different operating modules to perform the third-party authentication. FIG. 2(A) is a summary diagram of the operating modules corresponding to each home server and foreign server according to an embodiment of the present invention.

As shown in FIG. 2(A), the control module 21 activates the following operating modules for each cross-domain service:

    • cloud-to-edge: vHSS 27 and vUSER 26.
    • edge-to-edge: vHSS 27 and vMME 24.
    • fog(OIDC)-to-edge: vHSS 27 and vUSER 26.
    • fog(802.1x)-to-edge: vHSS 27 and vUSER 26.
    • cloud-to-cloud: vIdP 22 and vRP 25.
    • edge-to-cloud: vIdP 22 and vUE 23.
    • fog(OIDC)-to-cloud: vIdP 22, vRP 25 and vUSER 26.
    • fog(802.1x)-to-cloud: vIdP 22 and vUSER 26.
    • cloud-to-fog(OIDC): vIdP 22 and vRP 25.
    • edge-to-fog(OIDC): vIdP 22 and vUE 23.
    • fog(OIDC)-to-fog(OIDC): vIdP 22, vRP 25 and vUSER 26.
    • fog(802.1x)-to-fog(OIDC): vIdP 22 and vUSER 26.
    • cloud-to-fog(802.1x): vAS 28 and vUSER 26.
    • edge-to-fog(802.1x): vAS 28 and vUE 23.
    • fog(OIDC)-to-fog(802.1x): vAS 28 and vUSER 26.
    • fog(802.1x)-to-fog(802.1x): vAS 28 and vUSER 26.

由此可知,通訊系統1必須辨識跨界服務的類型,才能啟動合適的運作模組22~28。也因此,本發明的技術重點之一為「如何辨識原始服務端及外地服務端的類型」。為了讓通用代理伺服器2能夠辨識原始服務端及外地服務端的類型,進而進行不同的認證流程,通訊系統1可執行特殊的通訊方法。It can be seen that the communication system 1 must recognize the type of cross-border service in order to activate the appropriate operation modules 22-28. Therefore, one of the technical focuses of the present invention is "how to identify the types of the original server and the foreign server". In order to allow the universal proxy server 2 to identify the types of the original server and the foreign server, and then perform different authentication procedures, the communication system 1 can execute a special communication method.

需注意的是,為使流程更簡單清楚,下文中各種流程步驟可能會省略各服務端與通用代理伺服器2之間透過轉發端轉發訊息的步驟,但實際上原始服務端與通用代理伺服器2之間的訊息以及外地服務端與通用代理伺服器2之間的訊息皆必須經由相對應的轉發端做為中間媒介負責轉發。It should be noted that, in order to make the process simpler and clearer, the various process steps below may omit the step of forwarding messages between each server and the universal proxy server 2 through the forwarding end, but in fact the original server and the universal proxy server The message between 2 and the message between the foreign server and the general proxy server 2 must be forwarded through the corresponding forwarding terminal as an intermediate medium.

FIG. 2(B) is a flowchart of the steps of a communication method according to an embodiment of the present invention; refer also to FIGS. 1 to 2(A). As shown in FIG. 2(B), when an account of the original server wants to use an account of the foreign server, the user equipment 6 sends a service request message to the foreign server, and the foreign server forwards the service request message to the universal proxy server 2. When the universal proxy server 2 receives the service request message, step S1 is executed: the control module 21 executes an initial phase procedure to establish communication links between the operation modules 22 to 28 that are about to be used and the corresponding forwarding ends. Then step S2 is executed: the control module 21 executes an operation phase procedure to handle the authentication process between the original server and the foreign server. In addition, the control module 21 may also execute an entity insertion and lookup establishment procedure to build a lookup table, which records information on the original server and the foreign server for use during the operation phase procedure. Once authentication between the original server and the foreign server is complete, the foreign server can provide service to the user equipment 6, so that the account of the original server can use the service of the foreign server. Note that the order of the initial phase procedure, the operation phase procedure and the entity insertion and lookup establishment procedure is given only as an example and is not a limitation; for instance, the initial phase procedure and the operation phase procedure may also be executed concurrently.

The details of each procedure are described in turn below.

First, the details of the initial phase procedure. FIG. 3 is a flowchart of the steps of the initial phase procedure of the communication method according to an embodiment of the present invention; refer also to FIGS. 1 to 2(B).

First, step S11 is executed: the universal proxy server 2 receives a service request message sent by a server through a forwarding end.

Then step S12 is executed: the control module 21 identifies the type of the forwarding end. In one embodiment, the universal proxy server 2 may pre-record the connection path to each original forwarding end and each foreign forwarding end, so the control module 21 only needs to match the current connection path against the pre-recorded data to identify the type of the forwarding end.

When the control module 21 identifies the forwarding end as a CR 7b, step S13(a) is executed: the control module 21 starts the communication link between the vIdP 22 and the CR 7b, so that the vIdP 22 can exchange messages with the CR 7b, and stores the relevant information of the CR 7b. In one embodiment, the relevant information of a forwarding end (for example the CR 7b) may include an assigned cloud ID, a cloud relay ID and mapping information. In one embodiment, the control module 21 may receive service request messages from several CRs 7b at the same time, so step S13(b) may be executed: the control module 21 determines whether the universal proxy server 2 has received a service request message sent by another CR 7b; if so, step S13(a) is executed again, otherwise the initial phase procedure is complete.

When the forwarding end is an ER 8b, step S14(a) is executed: the control module 21 starts the communication link between the vHSS 27 and the ER 8b, so that the vHSS 27 can exchange messages with the ER 8b, and stores the relevant information of the ER 8b. In one embodiment, step S14(b) may be executed: the control module 21 determines whether the universal proxy server 2 has received a service request message sent by another ER 8b; if so, step S14(a) is executed again, otherwise the initial phase procedure is complete.

When the forwarding end is an FR 9b, the communication protocol used by the corresponding foreign fog 5b may be either OIDC or 802.1x, so step S15(a) is executed first: the control module 21 identifies the communication protocol used by the foreign fog 5b. The protocol may be identified, for example, by "trying to login": if the login is made through an access point, the control module 21 identifies the protocol as 802.1x; if the login is made through a web page, the control module 21 identifies the protocol as OIDC.

When the protocol is OIDC, step S15(b) is executed: the control module 21 starts the communication link between the vIdP 22 and the FR 9b, so that the vIdP 22 can exchange messages with the FR 9b, and stores the relevant information of the FR 9b. Then step S15(c) may be executed: the control module 21 determines whether the universal proxy server 2 has received a service request message sent by another FR 9b; if so, step S15(b) is executed again, otherwise the initial phase procedure is complete.

When the protocol is 802.1x, step S15(d) may be executed: the control module starts the communication link between the vAS 28 and the FR 9b, and stores the relevant information of the FR 9b. Then step S15(c) may be executed: the control module 21 determines whether the universal proxy server 2 has received a service request message sent by another FR 9b; if so, step S15(d) is executed again, otherwise the initial phase procedure is complete. With this, the details of the initial phase procedure have been described.

Next, the details of the operation phase procedure. FIG. 4 is a flowchart of the main steps of the operation phase procedure of the communication method according to an embodiment of the present invention; refer also to FIGS. 1 to 3.

First, step S21 is executed: the universal proxy server 2 receives a service request message from a foreign forwarding end (CR 7b, ER 8b or FR 9b).

Then step S22 is executed: the control module 21 identifies the type of the foreign server from the format of the service request message (for example, its communication protocol). In one embodiment, distinguished by communication protocol, the service request messages may include a first-format service request message, a second-format service request message and a third-format service request message. The first-format service request message is a remote authentication dial in user service access request (hereinafter RADIUS access request), corresponding to the 802.1x protocol; the second-format service request message is a user equipment login request (hereinafter UE login request), corresponding to the 3GPP protocol; the third-format service request message is an authentication request passing client_id (hereinafter auth request passing client_id), corresponding to the OIDC protocol. These message formats are only examples, and the present invention is not limited to them.

When the service request message is a first-format service request message (RADIUS access request), step S23(a) is executed: the control module 21 starts the vAS 28 to receive the service request message and puts the vAS 28 into a waiting state. Step S23(b) is also executed: the control module 21 provides a login option to the user equipment 6 through the FR 9b and the foreign fog 5b, so that the user equipment 6 can choose the original server with which to authenticate. Then step S24 is executed: the control module 21 executes a first user authentication procedure according to the login option returned by the user equipment 6. The first user authentication procedure is defined as the authentication procedure required between the original server and the foreign server when the foreign server is a foreign fog 5b using 802.1x (also called user authentication for 802.1x fog). Once the first user authentication procedure is complete, the foreign fog 5b can provide service to the account of the original server.

When the service request message is a second-format service request message (UE login request), step S25(a) is executed: the control module 21 starts the vHSS 27 to receive the service request message and puts the vHSS 27 into a waiting state. Step S25(b) is also executed: the control module 21 provides a login option to the user equipment 6 through the ER 8b and the foreign edge 4b, so that the user equipment 6 can choose the original server with which to authenticate. Then step S26 is executed: the control module 21 executes a second user authentication procedure according to the login option returned by the user equipment 6. The second user authentication procedure is defined as the authentication procedure required between the original server and the foreign server when the foreign server is an edge 4b using 3GPP (also called user authentication for 3GPP edge). Once the second user authentication procedure is complete, the foreign edge 4b can provide service to the account of the original server.

When the service request message is a third-format service request message (auth request passing client_id), step S27(a) is executed: the control module 21 starts the vIdP 22 to receive the service request message. Because the OIDC authentication mechanism still requires the user equipment 6 to return a second-format service request message (UE login request) before the vIdP 22 proceeds, step S28 is executed: the control module determines whether the universal proxy server has received a UE login request.

If none is received, the control module 21 stops the universal proxy server; if one is received, step S29 is executed: the control module provides a login option to the user equipment 6 through the CR 7b and the foreign cloud 3b (or through the FR 9b and the foreign fog 5b, when the protocol is OIDC).

Then step S30 is executed: the control module 21 executes a third user authentication procedure according to the login option returned by the user equipment 6. It is defined as the authentication procedure required between the original server and the foreign server when the foreign server is a foreign cloud 3b or a foreign fog 5b using OIDC, so the third user authentication procedure may also be called user authentication for OIDC cloud/fog. Once the third user authentication procedure is complete, the foreign cloud 3b or the foreign fog 5b can provide service to the account of the original server.

Next, the details of the first, second and third user authentication procedures.

First, the first user authentication procedure (the details of step S24). FIG. 5 is a flowchart of the steps of the first user authentication procedure according to an embodiment of the present invention; refer also to FIGS. 1 to 4.

As shown in FIG. 5, step S241 is executed first: the universal proxy server 2 receives the login option returned by the user equipment 6.

When the user equipment 6 selects the original edge 4a as the login option (that is, the original server is the original edge 4a), step S242 is executed: the control module 21 executes a first original server authentication subroutine A, namely the authentication procedure performed with the original edge 4a when the original server is the original edge 4a (see FIG. 8 for details). When the first original server authentication subroutine A is complete, step S243 is executed: the control module 21 executes a first foreign server authentication subroutine B, namely the authentication procedure performed by the control module 21 and the foreign fog 5b when the foreign server is a foreign fog 5b using 802.1x (see FIG. 9 for details). When step S243 is complete, the edge-to-fog(802.1x) authentication is complete, and the foreign fog 5b can provide service to the account of the edge 4a.

When the user equipment 6 selects the original cloud 3a as the login option (that is, the original server is the original cloud 3a), step S244 is executed: the control module 21 executes a second original server authentication subroutine C. The second original server authentication subroutine C is defined as the authentication procedure performed by the control module 21 and the original cloud 3a (or the original fog 5a) when the original server is the original cloud 3a or an original fog 5a using OIDC (see FIG. 10 for details). When the second original server authentication subroutine C is complete, step S245 is executed: the control module 21 executes the first foreign server authentication subroutine B. When step S245 is complete, the cloud-to-fog(802.1x) authentication is complete, and the foreign fog 5b can provide service to the account of the original cloud 3a.

When the user equipment 6 selects the original fog 5a as the login option (that is, the original server is the original fog 5a), step S246 is executed: the control module 21 checks whether the communication protocol of the original fog 5a is 802.1x.

When the protocol of the original fog 5a is 802.1x, step S247 is executed: the control module 21 executes a third original server authentication subroutine D, namely the authentication procedure performed by the control module 21 and the original fog 5a when the original server is an original fog 5a using 802.1x (see FIG. 11 for details). When step S247 is complete, step S249 is executed: the control module executes the first foreign server authentication subroutine B. When step S249 is complete, the fog(802.1x)-to-fog(802.1x) authentication is complete, and the foreign fog 5b using 802.1x can provide service to the account of the original fog 5a.

When the protocol of the original fog 5a is not 802.1x but OIDC, step S248 is executed: the control module 21 executes the second original server authentication subroutine C. When step S248 is complete, step S249 is executed: the control module executes the first foreign server authentication subroutine B. When step S249 is complete, the fog(OIDC)-to-fog(802.1x) authentication is complete, and the foreign fog 5b using 802.1x can provide service to the account of the original fog 5a.

With this, the details of the first user authentication procedure have been described.

Next, the second user authentication procedure (the details of step S26). FIG. 6 is a flowchart of the steps of the second user authentication procedure according to an embodiment of the present invention; refer also to FIGS. 1 to 4.

As shown in FIG. 6, step S261 is executed first: the universal proxy server 2 receives the login option returned by the user equipment 6.

When the user equipment 6 selects the original edge 4a as the login option (that is, the original server is the original edge 4a), step S262 is executed: the control module 21 executes a second foreign server authentication subroutine E. The second foreign server authentication subroutine E is defined as the authentication procedure required among the control module 21, the original edge 4a and the foreign edge 4b when the original server is the original edge 4a and the foreign server is the foreign edge 4b (see FIG. 12 for details). When step S262 is complete and the EPS-AKA authentication required by the foreign edge 4b is also complete, the edge-to-edge authentication is complete, and the foreign edge 4b can provide service to the account of the original edge 4a. In one embodiment, the control module 21 may instruct the vHSS 27 to provide the authentication vector needed for EPS-AKA authentication, and the foreign edge 4b and the user equipment 6 perform EPS-AKA authentication using this authentication vector: for example, the foreign edge 4b issues an authentication challenge to the user equipment 6 based on the authentication vector, and the user equipment 6 returns an authentication response.

When the user equipment 6 selects the original cloud 3a as the login option (that is, the original server is the original cloud 3a), step S263 is executed: the control module 21 executes a fourth original server authentication subroutine F. The fourth original server authentication subroutine F is defined as the authentication procedure performed by the control module 21 and the original cloud 3a (or the original fog 5a) when the original server is the original cloud 3a or an original fog 5a using OIDC and the foreign server is the foreign edge 4b (see FIG. 13 for details). When step S263 is complete and the EPS-AKA authentication required by the foreign edge 4b is also complete, the cloud-to-edge authentication is complete, and the foreign edge 4b can provide service to the account of the original cloud 3a.

When the user equipment 6 selects the original fog 5a as the login option (that is, the original server is the original fog 5a), step S264 is executed: the control module 21 checks whether the communication protocol of the original fog 5a is 802.1x.

When the protocol of the original server (fog 5a) is 802.1x, step S265 is executed: the control module 21 executes the third original server authentication subroutine D. When step S265 is complete and the EPS-AKA authentication required by the foreign edge 4b is also complete (steps S266(a) and S266(b)), the fog(802.1x)-to-edge authentication is complete, and the foreign edge 4b can provide service to the account of the original fog 5a (802.1x).

When the protocol of the original fog 5a is OIDC, step S267 is executed: the control module 21 executes the fourth original server authentication subroutine F. When step S267 is complete and the EPS-AKA authentication required by the foreign edge 4b is also complete, the fog(OIDC)-to-edge authentication is complete, and the foreign edge 4b can provide service to the account of the original fog 5a (OIDC).

With this, the details of the second user authentication procedure have been described.

Next, the third user authentication procedure (the details of step S30). FIG. 7 is a flowchart of the steps of the third user authentication procedure according to an embodiment of the present invention; refer also to FIGS. 1 to 4.

As shown in FIG. 7, step S301 is executed first: the universal proxy server 2 receives the login option returned by the user equipment 6.

When the login option is the original cloud 3a, step S302 is executed: the control module 21 executes a fifth original server authentication subroutine G. The fifth original server authentication subroutine G is defined as the authentication procedure performed by the control module 21 and the original cloud 3a when the original server is the original cloud 3a and the foreign server is a foreign cloud 3b or a foreign fog 5b using OIDC (see FIG. 14 for details). When step S302 is complete, step S303(a) is executed: the control module 21 provides an identity token to the vIdP 22. Then step S303(b) is executed: the control module 21 instructs the vIdP 22 to send the identity token to the foreign cloud 3b (or the foreign fog 5b), and the foreign cloud 3b (or the foreign fog 5b) can use the identity token to open access to the account of the original cloud 3a and provide service. With this, the cloud-to-cloud/fog(OIDC) authentication is complete.

When the login option is the original edge 4a, step S304 is executed: the control module executes the first original server authentication subroutine A. When step S304 is complete, steps S305(a) to S305(c) are executed: the control module 21 creates an identity token and instructs the vIdP 22 to send it to the foreign cloud 3b (or the foreign fog 5b), and the foreign cloud 3b (or the foreign fog 5b) can use the identity token to open access to the account of the original edge 4a. With this, the edge-to-cloud/fog(OIDC) authentication is complete.

When the login option is the original fog 5a, step S306 is executed: the control module determines whether the communication protocol of the original fog 5a is 802.1x.

If the protocol of the original fog 5a is not 802.1x but OIDC, step S307 is executed: the control module 21 executes a sixth original server authentication subroutine H. The sixth original server authentication subroutine H is defined as the authentication procedure that the control module 21 and the original fog 5a must perform when the original server is a fog 5a using OIDC and the foreign server is a foreign cloud 3b or a foreign fog 5b using OIDC (see FIG. 15 for details). When the sixth original server authentication subroutine H is complete, the fog(OIDC)-to-cloud/fog(OIDC) authentication is complete.

If the protocol of the original fog 5a is 802.1x, step S308 is executed: the control module 21 executes the third original server authentication subroutine D. After the third original server authentication subroutine D, steps S309(a) to S309(c) may be executed: the control module 21 creates an identity token and instructs the vIdP 22 to send it to the foreign cloud 3b (or the foreign fog 5b), and the foreign cloud 3b (or the foreign fog 5b) can use the identity token to open access to the account of the original fog 5a. With this, the fog(802.1x)-to-cloud/fog(OIDC) authentication is complete.

With this, the details of the third user authentication procedure have been described.

In addition, for clarity, the cross-domain services to which the first home-server authentication subroutine A through the sixth home-server authentication subroutine H apply are listed below.

The first home-server authentication subroutine A applies to cross-domain services such as edge-to-fog(802.1x), edge-to-cloud and edge-to-fog(OIDC), but is not limited to these.

The first foreign-server authentication subroutine B applies to cross-domain services such as edge-to-fog(802.1x), cloud-to-fog(802.1x), fog(OIDC)-to-fog(802.1x) and fog(802.1x)-to-fog(802.1x), but is not limited to these.

The second home-server authentication subroutine C applies to cross-domain services such as cloud-to-fog(802.1x) and fog(OIDC)-to-fog(802.1x), but is not limited to these.

The third home-server authentication subroutine D applies to cross-domain services such as fog(802.1x)-to-fog(802.1x), fog(802.1x)-to-fog(OIDC), fog(802.1x)-to-edge and fog(802.1x)-to-cloud, but is not limited to these.

The second foreign-server authentication subroutine E applies to cross-domain services such as edge-to-edge, but is not limited to these.

The fourth home-server authentication subroutine F applies to cross-domain services such as cloud-to-edge and fog(OIDC)-to-edge, but is not limited to these.

The fifth home-server authentication subroutine G applies to cross-domain services such as cloud-to-cloud and cloud-to-fog(OIDC), but is not limited to these.

The sixth home-server authentication subroutine H applies to cross-domain services such as fog(OIDC)-to-cloud and fog(OIDC)-to-fog(OIDC), but is not limited to these.

The details of the cases to which subroutines A through H apply are described next. Note again that the steps below may omit the message-forwarding step performed by the forwarders; in practice each server and the universal proxy server 2 exchange their messages through the forwarders.

First, the first home-server authentication subroutine A is described. FIG. 8 is a flowchart of the steps of subroutine A according to an embodiment of the invention; please also refer to FIG. 1 to FIG. 7.

As shown in FIG. 8, step A1(a) is executed first: the control module 21 activates the vUE 23. Then step A1(b) is executed: the control module 21 converts the second-format service request message (UE login request) from the user equipment 6 into an authentication request message. In one embodiment the second-format service request message contains the international mobile subscriber identity (IMSI) of the user equipment 6, and the converted authentication request message carries the IMSI as well. Since the IMSI was issued by the home server, the home server can determine whether the IMSI is valid.

Then step A2 is executed: the control module 21 instructs the vUE 23 to communicate with the home edge 4a and send it the authentication request message. In one embodiment, on receiving the authentication request message the home edge 4a checks whether the IMSI it carries is valid. When the IMSI is confirmed valid, the HSS of the home edge 4a generates an authentication request response message, and the MME of the home edge 4a converts that message into an authentication challenge and returns it to the vUE 23. In one embodiment the authentication request response message contains an authentication vector comprising an expected response (XRES), an authentication value (AUTN), a random number (RAND) and a session key (Kasme), and the authentication challenge contains the expected response (XRES), the authentication value (AUTN) and the random number (RAND), but is not limited to these.

Then step A3 is executed: the control module 21 determines whether the vUE 23 has received the authentication challenge returned by the home edge 4a. If not, step A2 is repeated. If so, step A4 is executed: the control module 21 instructs the vUE 23 to forward the authentication challenge to the user equipment 6. In one embodiment the user equipment 6 runs the EPS-AKA verification procedure on the challenge, for example producing a challenge response.

Then step A5 is executed: the control module 21 determines whether the vUE 23 has received the challenge response returned by the user equipment 6. If not, step A4 is repeated. If so, step A6 is executed: the control module 21 instructs the vUE 23 to send the challenge response to the MME of the home edge 4a. The MME determines whether the challenge response is correct; when it is, the edge 4a returns a verification success message.

Step A7 is therefore executed: the control module 21 determines whether the vUE 23 has received the verification success message returned by the MME. If so, subroutine A is complete, i.e. the authentication required by the home edge 4a is done, and the authentication required by the foreign server can follow, for example generating the token required by the foreign cloud 3b or foreign fog 5b (OIDC), or running the first foreign-server authentication subroutine B required by the foreign fog 5b (802.1x). If not, step A8 is executed: the universal proxy server 2 sends a verification failure message to the user equipment 6 and stops.

The details of subroutine A can thus be understood.

Next, the details of the first foreign-server authentication subroutine B are described. FIG. 9 is a flowchart of the steps of subroutine B according to an embodiment of the invention; please also refer to FIG. 1 to FIG. 7.

As shown in FIG. 9, step B1 is executed first: the control module 21 supplies user records to the vAS 28; a user record may contain data such as user credentials. Then step B2 is executed: once authentication with the home server is complete, the control module 21 instructs the vAS 28 to generate a Remote Authentication Dial In User Service access challenge (hereinafter RADIUS challenge).

Then step B3 is executed: the control module 21 instructs the vAS 28 to send the RADIUS challenge to the access point (AP) of the foreign fog 5b (802.1x). On receiving the RADIUS challenge, the AP converts it into the Extensible Authentication Protocol request (Message-Digest Algorithm 5) message required for 802.1x authentication (EAP-req/MD5) and sends it to the user equipment 6. The user equipment 6 produces an EAP (MD5) response (EAP-res/MD5) from the challenge and returns it to the AP. When the AP has received the EAP-res/MD5 and confirmed it is correct, it converts it into a Remote Authentication Dial In User Service access request (hereinafter RADIUS access request) and sends the RADIUS access request to the vAS 28 of the universal proxy server 2.

Next, step B4 is executed: the control module 21 determines whether the vAS 28 has received the RADIUS access request. If not, step B3 is repeated. If so, step B5 is executed: the control module 21 instructs the vAS 28 to return a Remote Authentication Dial In User Service access accept message (hereinafter RADIUS access accept) to the AP.

Note that when the AP receives the RADIUS access accept, it can send an EAP success message (EAP-success) to the user equipment 6; the foreign fog 5b (802.1x) can then provide service to the user equipment 6 on the basis of the EAP-success.

The details of subroutine B can thus be understood.

Next, the details of the second home-server authentication subroutine C are described. FIG. 10 is a flowchart of the steps of subroutine C according to an embodiment of the invention; please also refer to FIG. 1 to FIG. 9.

As shown in FIG. 10, step C1 is executed: the control module 21 generates a login message (containing the account name and password) for an account at the home cloud 3a or home fog 5a (OIDC); the account name and password may come from the service request message or authentication request message previously sent by the user equipment 6, but are not limited to this.

Then step C2 is executed: the control module 21 activates the vUSER 26. Then step C3 is executed: the control module 21 instructs the vUSER 26 to send the login message to the home cloud 3a or home fog 5a (OIDC), which verifies whether the account name and password are correct.

Then step C4 is executed: the control module 21 determines whether the vUSER 26 has received a login success message returned by the home cloud 3a or home fog 5a (OIDC). If not, step C3 is repeated. If so, subroutine C is complete and the authentication required by the foreign server can follow, for example the first foreign-server authentication subroutine B.

Subroutine C can thus be understood.

Next, the details of the third home-server authentication subroutine D are described. FIG. 11 is a flowchart of the steps of subroutine D according to an embodiment of the invention; please also refer to FIG. 1 to FIG. 10.

As shown in FIG. 11, step D1 is executed first: the control module 21 activates the vUSER 26.

Then step D2 is executed: the control module 21 instructs the vUSER 26 to send an EAP over local area network start request (EAPOL start request) to the AS of the home fog 5a (802.1x).

Then step D3 is executed: the control module 21 determines whether the universal proxy server 2 has received an EAP request (identity) message (EAP-req/ID) returned by the home fog 5a (802.1x).

If no EAP-req/ID is received, step D2 is repeated. If it is received, step D4 is executed: the control module 21 has the universal proxy server 2 forward the EAP-req/ID to the user equipment 6.

Then step D5 is executed: the control module 21 determines whether the universal proxy server 2 has received an EAP (identity) response (EAP-res/ID) returned by the user equipment 6.

If no EAP-res/ID is received, step D4 is repeated. If it is received, step D6 is executed: the control module 21 has the universal proxy server 2 forward the EAP-res/ID to the AS of the home fog 5a (802.1x).

Then step D7 is executed: the control module 21 determines whether the universal proxy server 2 has received the EAP-req/MD5 returned by the AS of the home fog 5a (802.1x).

If no EAP-req/MD5 is received, step D6 is repeated. If it is received, step D8 is executed: the universal proxy server 2 forwards the EAP-req/MD5 to the user equipment 6.

Then step D9 is executed: the control module 21 determines whether the universal proxy server 2 has received the EAP-res/MD5 returned by the user equipment 6.

If no EAP-res/MD5 is received, step D8 is repeated. If it is received, step D10 is executed: the control module 21 has the universal proxy server 2 forward the EAP-res/MD5 to the AS.

Then step D11 is executed: the control module 21 determines whether the universal proxy server 2 has received the EAP-success returned by the AS.

If no EAP-success is received, step D12 is executed: the control module 21 has the universal proxy server 2 send an EAP authentication failure message to the user equipment 6 and stops. If EAP-success is received, subroutine D is complete, i.e. the authentication required by the home fog 5a (802.1x) is done, and the authentication required by the foreign server can follow, for example the first foreign-server authentication subroutine B, EPS-AKA authentication or token authentication.

The details of subroutine D can thus be understood.
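The MD5-Challenge exchange that subroutines B and D carry, as an added example that is not code from the patent: in subroutine B the proxy's vAS 28 is the authentication server for the foreign fog's access point, while in subroutine D the proxy only relays EAP between the user equipment and the home fog's own AS. The response value follows RFC 3748 section 5.4 (MD5 over Identifier, password and challenge); the identities, passwords and message dictionaries are constructed for the demo and real RADIUS/EAP framing is omitted.

```python
"""EAP-MD5 over RADIUS as handled by the universal proxy server (added example)."""
import hashlib
import hmac
import secrets


def eap_md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """MD5-Challenge value computed by the supplicant and recomputed by the AS."""
    return hashlib.md5(bytes([identifier & 0xFF]) + password + challenge).digest()


class AuthServer:
    """Holds the user records supplied in step B1 and runs the MD5-Challenge exchange.
    Plays vAS 28 in subroutine B and the home fog's own AS in subroutine D."""

    def __init__(self, user_records):
        self.user_records = dict(user_records)   # identity -> password bytes (constructed)
        self.pending = {}                        # (identity, identifier) -> challenge

    def issue_challenge(self, identity, identifier):
        challenge = secrets.token_bytes(16)      # fresh per exchange, never reused
        self.pending[(identity, identifier)] = challenge
        return challenge

    def verify(self, identity, identifier, response):
        challenge = self.pending.pop((identity, identifier), None)   # single use
        password = self.user_records.get(identity)
        if challenge is None or password is None or response is None:
            return False
        expected = eap_md5_response(identifier, password, challenge)
        return hmac.compare_digest(expected, response)


class UserEquipment:
    """Supplicant side of 802.1x (the user equipment 6)."""

    def __init__(self, identity, password):
        self.identity, self.password = identity, password

    def eap_res_id(self):
        return {"code": "Response", "type": "Identity", "value": self.identity}

    def eap_res_md5(self, eap_req):
        value = eap_md5_response(eap_req["identifier"], self.password, eap_req["value"])
        return {"code": "Response", "type": "MD5-Challenge",
                "identifier": eap_req["identifier"], "value": value}


def run_subroutine_b(vas, ue, identifier=1):
    """Steps B2-B5: vAS challenges the UE through the foreign fog's AP and answers the
    AP's RADIUS access request with Access-Accept (-> EAP-success) or Access-Reject."""
    # B2: vAS generates the RADIUS challenge for the identity already authenticated at home
    radius_challenge = {"type": "Access-Challenge", "identifier": identifier,
                        "value": vas.issue_challenge(ue.identity, identifier)}
    # B3: the AP converts the RADIUS challenge into EAP-req/MD5 for the UE ...
    eap_req = {"code": "Request", "type": "MD5-Challenge",
               "identifier": radius_challenge["identifier"], "value": radius_challenge["value"]}
    # ... the UE answers with EAP-res/MD5, which the AP wraps into a RADIUS access request
    eap_res = ue.eap_res_md5(eap_req)
    access_request = {"type": "Access-Request", "identity": ue.identity, "eap": eap_res}
    # B4/B5: vAS verifies the response; the AP turns Access-Accept into EAP-success
    ok = vas.verify(access_request["identity"], eap_res["identifier"], eap_res["value"])
    return "EAP-success" if ok else "EAP-failure"


def run_subroutine_d(home_as, ue, identifier=7):
    """Steps D2-D12: the proxy relays each EAP message between the UE and the home fog's AS
    unchanged; it never learns the password and cannot produce EAP-success on its own."""
    # D2-D6: EAPOL-Start to the AS, EAP-req/ID to the UE, EAP-res/ID back to the AS
    identity = ue.eap_res_id()["value"]
    # D7/D8: the AS issues EAP-req/MD5 and the proxy forwards it to the UE
    eap_req = {"code": "Request", "type": "MD5-Challenge", "identifier": identifier,
               "value": home_as.issue_challenge(identity, identifier)}
    # D9/D10: the UE's EAP-res/MD5 is forwarded to the AS
    eap_res = ue.eap_res_md5(eap_req)
    # D11: EAP-success from the AS completes D; otherwise D12 reports failure to the UE
    ok = home_as.verify(identity, eap_res["identifier"], eap_res["value"])
    return "EAP-success" if ok else "EAP-failure"
```

Because each challenge is popped on first use, a captured EAP-res/MD5 replayed against the same identifier is rejected, which is the check a vAS deployment should keep even though the page's flow does not spell it out.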

Next, the details of the second foreign-server authentication subroutine E are described. FIG. 12 is a flowchart of the steps of subroutine E according to an embodiment of the invention; please also refer to FIG. 1 to FIG. 11.

As shown in FIG. 12, step E1(a) is executed first: the control module 21 activates the vMME 24 and the vHSS 27, and redirects (for example reconnects) the user equipment 6 to the MME of the foreign edge 4b. Then step E1(b) is executed: the control module 21 waits for a message from that MME.

Then step E2 is executed: the control module 21 receives the authentication request message (containing the IMSI) sent by the MME; the authentication request message may, for example, have been converted from the service request message issued by the user equipment 6.

Then step E3 is executed: the control module 21 instructs the vMME 24 to send the authentication request message to the HSS of the home edge 5a to confirm whether the IMSI is valid. When the IMSI is valid, the home edge 5a generates the authentication vector required for EPS-AKA and returns an authentication response message containing it.

Then step E4 is executed: the control module 21 determines whether the universal proxy server 2 has received the authentication response message returned by the home edge 5a.

If not, step E3 is repeated. If so, step E5 is executed: the control module 21 instructs the vHSS 27 to send the authentication response message to the MME of the foreign edge 5b.

In one embodiment, when the MME of the foreign edge 5b receives the authentication response message, it generates an authentication challenge from the authentication vector and sends it to the user equipment 6. When the user equipment 6 returns the correct challenge response, the foreign edge 5b can provide service to the user equipment 6.

Subroutine E can thus be understood.
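The authentication-vector handling behind subroutines A and E, as an added example that is not code from the patent: in A the proxy's vUE 23 stands in for the user equipment toward the home edge, in E the proxy's vMME 24 fetches the vector from the home HSS and its vHSS 27 hands it to the foreign MME, which then runs EPS-AKA with the UE itself. The HMAC-SHA256 functions are stand-ins for Milenage and the 3GPP KDF, the IMSIs and keys are constructed, and, as in 3GPP EPS-AKA, the MME keeps XRES and Kasme and sends only RAND and AUTN to the UE (the page's embodiment also lists XRES in the challenge).

```python
"""EPS-AKA authentication vectors through the universal proxy server (added example)."""
import hashlib
import hmac
import secrets
import struct


def _f(key: bytes, label: bytes, data: bytes) -> bytes:
    """Stand-in for the Milenage f1..f5 functions and the Kasme KDF (assumption)."""
    return hmac.new(key, label + data, hashlib.sha256).digest()


class HomeHSS:
    """HSS of the home edge: subscriber key K and sequence number SQN per IMSI."""

    def __init__(self, subscribers):
        self.subscribers = dict(subscribers)        # IMSI -> (K, SQN), constructed

    def authentication_vector(self, imsi):
        entry = self.subscribers.get(imsi)
        if entry is None:
            return None                             # unknown IMSI: request rejected
        k, sqn = entry
        self.subscribers[imsi] = (k, sqn + 1)       # SQN is never reused
        rand = secrets.token_bytes(16)
        sqn_bytes = struct.pack(">Q", sqn)
        mac = _f(k, b"mac", rand + sqn_bytes)[:8]
        return {"RAND": rand,
                "AUTN": sqn_bytes + mac,            # simplified AUTN = SQN || MAC
                "XRES": _f(k, b"res", rand)[:8],
                "KASME": _f(k, b"kasme", rand + sqn_bytes)}


class UserEquipment:
    """User equipment 6 holding the same K as the home HSS."""

    def __init__(self, imsi, k):
        self.imsi, self.k, self.sqn_seen = imsi, k, -1

    def login_request(self):
        return {"type": "UE login request", "IMSI": self.imsi}

    def challenge_response(self, challenge):
        """Verify AUTN (authenticates the network, rejects replays), then compute RES."""
        rand, autn = challenge["RAND"], challenge["AUTN"]
        sqn = struct.unpack(">Q", autn[:8])[0]
        expected_mac = _f(self.k, b"mac", rand + autn[:8])[:8]
        if not hmac.compare_digest(expected_mac, autn[8:]) or sqn <= self.sqn_seen:
            return None                             # wrong network key or replayed SQN
        self.sqn_seen = sqn
        return _f(self.k, b"res", rand)[:8]


class MME:
    """MME of an edge: keeps XRES/Kasme, sends only RAND and AUTN to the UE."""

    def __init__(self, hss=None):
        self.hss, self.pending = hss, {}            # hss is None for the foreign MME

    def handle_auth_request(self, imsi, av=None):
        av = av or (self.hss.authentication_vector(imsi) if self.hss else None)
        if av is None:
            return None
        self.pending[imsi] = av
        return {"RAND": av["RAND"], "AUTN": av["AUTN"]}

    def check_response(self, imsi, res):
        av = self.pending.pop(imsi, None)
        ok = av is not None and res is not None and hmac.compare_digest(av["XRES"], res)
        return "verification success" if ok else "verification failure"


def run_subroutine_a(home_mme, ue):
    """Steps A1-A8: vUE 23 acts toward the home edge on behalf of the UE."""
    req = {"type": "authentication request", "IMSI": ue.login_request()["IMSI"]}  # A1(b)
    challenge = home_mme.handle_auth_request(req["IMSI"])       # A2: vUE -> home edge
    if challenge is None:
        return "verification failure"                           # A8: failure to the UE
    res = ue.challenge_response(challenge)                      # A4: vUE -> UE
    return home_mme.check_response(req["IMSI"], res)            # A6/A7: vUE -> home MME


def run_subroutine_e(home_hss, foreign_mme, ue):
    """Steps E1-E5: vMME 24 fetches the AV from the home HSS, vHSS 27 hands it to the
    foreign MME, and the foreign edge completes EPS-AKA with the UE by itself."""
    imsi = ue.login_request()["IMSI"]                           # E2: request relayed by the foreign MME
    av = home_hss.authentication_vector(imsi)                   # E3: vMME -> home HSS
    challenge = foreign_mme.handle_auth_request(imsi, av)       # E5: vHSS -> foreign MME
    if challenge is None:
        return "verification failure"
    return foreign_mme.check_response(imsi, ue.challenge_response(challenge))
```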

Next, the details of the fourth home-server authentication subroutine F are described. FIG. 13 is a flowchart of the steps of subroutine F according to an embodiment of the invention; please also refer to FIG. 1 to FIG. 12.

As shown in FIG. 13, step F1 is executed first: when the user equipment 6 selects the home cloud 3a or home fog 5a (OIDC) as its login option, the control module 21 activates the vUSER 26 and the vHSS 27.

Then step F2 is executed: the universal proxy server 2 redirects the user equipment 6 to the MME of the foreign edge 4b. The user equipment 6 can then send a connection request message carrying its IMSI to the MME of the foreign edge 4b, which converts the connection request message into an authentication request message carrying the IMSI and sends the authentication request message to the universal proxy server 2.

Then steps F3 and F4 are executed: the universal proxy server 2 receives the authentication request message sent by the MME, and the control module 21 converts it into an ordinary website login message (for example a login by account name and password) that the home cloud 3a or home fog 5a (OIDC) can read.

Then step F5 is executed: the control module 21 instructs the vUSER 26 to send the website login message to the home cloud 3a or home fog 5a (OIDC). In one embodiment the home cloud 3a or home fog 5a (OIDC) verifies whether the account name and password are correct; if they are, it returns an authentication claim containing the authentication vector, otherwise it stops.

Step F6 is therefore executed: the control module 21 determines whether the universal proxy server 2 has received the claim.

If not, step F5 is repeated. If so, steps F7(a) to F7(c) are executed: the control module 21 stops the vUSER 26, converts the claim into an authentication request response message containing the authentication vector, as the response to the authentication request message sent by the MME of the foreign edge 4b in step F3, and instructs the vHSS 27 to send that response message to the MME of the foreign edge 4b. When the MME of the foreign edge 4b receives the authentication request response message, the foreign edge 4b can itself run EPS-AKA authentication with the user equipment 6 using the authentication vector, and decide from the result whether to provide service to the user equipment 6.

The details of subroutine F can thus be understood.

Next, the details of the fifth home-server authentication subroutine G are described. FIG. 14 is a flowchart of the steps of subroutine G according to an embodiment of the invention; please also refer to FIG. 1 to FIG. 13.

As shown in FIG. 14, step G1 is executed first: when the foreign server is the foreign cloud 3b or foreign fog 5b (OIDC) and the user equipment 6 selects the home cloud 3a as its login option, the control module 21 activates the vRP 25.

Then step G2 is executed: the control module 21 instructs the vRP 25 to send the third-format authentication request message to the home cloud 3a. Since the home cloud 3a and the foreign cloud 3b (or foreign fog 5b) both use OIDC, the home cloud 3a can read the third-format authentication request message directly, and when the home server determines that the user information in it is correct, it returns a token.

Then step G3 is executed: the control module 21 determines whether the universal proxy server 2 has received the token sent by the home cloud 3a.

If not, step G2 is repeated. If so, step G4 is executed: the control module 21 stops the vRP 25 and has the universal proxy server 2 send the token to the foreign cloud 3a or foreign fog 5a (OIDC). The foreign cloud 3a or foreign fog 5a (OIDC) can then decide from the token whether to provide service to the user equipment 6.

The details of subroutine G can thus be understood.

Next, the details of the sixth home-server authentication subroutine H are described. FIG. 15 is a flowchart of the steps of subroutine H according to an embodiment of the invention; please also refer to FIG. 1 to FIG. 14.

As shown in FIG. 15, step H1 is executed first: when the foreign server is the foreign cloud 3b or foreign fog 5b (OIDC) and the user equipment 6 selects the home fog 5a (OIDC) as its login option, the control module 21 activates the vUSER 26 and the vRP 25.

Then step H2 is executed: the control module 21 instructs the vRP 25 to send the third-format authentication request message to the home fog 5a (OIDC). Since the home fog 5a and the foreign cloud 3b (or foreign fog 5b) both use OIDC, the home fog 5a can read the third-format authentication request message directly, and when the home fog 5a determines that the user information in it is correct, the IdP of the home fog 5a returns an authenticate-user message.

Then step H3 is executed: the control module 21 determines whether the authenticate-user message has been received.

If not, step H2 is repeated. If so, step H4 is executed: the control module 21 instructs the vRP 25 and the vUSER 26 to carry out a user verification mechanism with the user equipment 6 and the IdP of the home fog 5a. For example, the vRP 25 sends a third-format service request message (auth request passing client_id) to the IdP of the home fog 5a, the user is verified with the assistance of the vUSER 26, and a token (ID token) is issued according to the result. Thus, when the user verification mechanism completes (for example, succeeds), the IdP of the home fog 5a sends the token to the universal proxy server 2.

Then step H5 is executed: the control module 21 determines whether the universal proxy server 2 has received the token.

If not, the control module 21 notifies the user equipment 2 that authentication failed. If so, step H6 is executed: the control module 21 instructs the vIdP 22 to send the token to the foreign cloud 3b or foreign fog 5b (OIDC). The foreign cloud 3b or foreign fog 5b (OIDC) can then decide from the token whether to provide service to the user equipment 6.

Subroutine H can thus be understood.

此外,通用代理伺服器2可根據邏輯流程(logic flow)建立一轉發表(forwarding table),以在各種跨界認證情況下決定那些運作模組22~28需要啟動,且哪些映射(mapping)需要完成。In addition, the universal proxy server 2 can create a forwarding table according to the logic flow to determine which operating modules 22-28 need to be activated and which mappings need to be activated under various cross-border authentication situations Finish.

以下說明邏輯流程及轉發表。The following describes the logic flow and forwarding table.

在一實施例中,邏輯流程起始於通用代理伺服器2與轉發端進行連接。接著,通用代理伺服器2必須找出原始轉發端及外地轉發端的身份。假如原始轉發端為霧端轉發端9a,控制模組21必須判斷原始霧端5a使用的通訊協定是否為OIDC,假如不是,則啟動vUSER 36以對應原始霧端5a。假如原始轉發端為雲端轉發端7a,控制模組21根據外地轉發端的身份來決定啟動vUSER 26或vRP 25,以對應原始雲端3a。假如原始轉發端為邊界轉發端8a,控制模組21將根據外地轉發端的身份來決定啟動vMME 24或vUE 23,以對應原始邊界4a。In one embodiment, the logic flow starts with the connection between the universal proxy server 2 and the forwarding end. Then, the universal proxy server 2 must find out the identities of the original forwarding end and the foreign forwarding end. If the original forwarding end is the fog end forwarding end 9a, the control module 21 must determine whether the communication protocol used by the original fog end 5a is OIDC, and if not, activate vUSER 36 to correspond to the original fog end 5a. If the original forwarding terminal is the cloud forwarding terminal 7a, the control module 21 decides to activate the vUSER 26 or vRP 25 according to the identity of the foreign forwarding terminal to correspond to the original cloud 3a. If the original forwarding end is the border forwarding end 8a, the control module 21 will decide to activate the vMME 24 or vUE 23 according to the identity of the foreign forwarding end to correspond to the original border 4a.

控制模組21亦必須決定外地轉發端的身份。假如外地轉發端為邊界轉發端8b,控制模組21啟動vHSS 27以對應外地邊界4b。假如外地轉發端為雲端轉發端7b,控制模組21啟動vIdP 22以對應外地雲端3b。假如外地轉發端為霧端轉發端9b,控制模組21須判斷外地霧端5b是否使用OIDC,假如是,則啟動vIdP 22以對應外地霧端5b;假如否,則啟動vAS 28。The control module 21 must also determine the identity of the foreign forwarder. If the foreign forwarding terminal is the boundary forwarding terminal 8b, the control module 21 activates the vHSS 27 to correspond to the foreign boundary 4b. If the foreign forwarding terminal is the cloud forwarding terminal 7b, the control module 21 activates the vIdP 22 to correspond to the foreign cloud 3b. If the foreign forwarding terminal is the fog terminal 9b, the control module 21 must determine whether the foreign fog terminal 5b uses OIDC, if so, activate vIdP 22 to correspond to the foreign fog terminal 5b; if not, activate vAS 28.

In addition, the control module 21 must determine which mapping to execute in order to convert messages from one protocol to another. For example, in the edge-to-cloud case the universal proxy server 2 can perform the mapping between 3GPP EPS-AKA and OIDC by converting the "Login with IMSI" message into an "Auth Request (IMSI)" message, and thereby communicate with the edge.

FIG. 16 is a schematic diagram of the forwarding table of the universal proxy server 2 according to an embodiment of the present invention. Using the forwarding table, the control module 21 can quickly determine which of the operation modules 22~28 must be activated, and which mapping must be executed, for each kind of cross-domain authentication.

In addition, in one embodiment, the functionality of the universal proxy server 2 can be extended to accommodate newly added protocols. When a new protocol is added, the logic flow and the forwarding table of the universal proxy server 2 can be adjusted accordingly. The foregoing describes the details of the logic flow and the forwarding table.
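The module-selection logic and the forwarding-table lookup described above, as an added example that is not the patent's own code. The module numerals (vIdP 22 through vAS 28, vUSER 36), the OIDC/802.1x rules and the "Login with IMSI" mapping come from the page; the function names, the table layout and the home-cloud row marked ASSUMED are this example's own choices.

```python
"""Forwarding-table logic of the universal proxy server's control module.

Added illustration, not the patent's own code. Module numerals, the OIDC /
802.1x rules and the "Login with IMSI" mapping come from the page; function
names, the table layout and the row marked ASSUMED are this example's own.
"""
from typing import Dict, Tuple


def foreign_module(foreign_type: str, foreign_protocol: str) -> str:
    """Operation module that faces the foreign service end."""
    if foreign_type == "edge":
        return "vHSS 27"                       # foreign edge 4b
    if foreign_type == "cloud":
        return "vIdP 22"                       # foreign cloud 3b
    if foreign_type == "fog":
        # Foreign fog 5b: OIDC -> vIdP 22, otherwise (802.1x) -> vAS 28.
        return "vIdP 22" if foreign_protocol == "OIDC" else "vAS 28"
    raise ValueError(f"unknown foreign type {foreign_type!r}")


def home_module(home_type: str, home_protocol: str, foreign_type: str) -> str:
    """Operation module that faces the home (original) service end."""
    if home_type == "edge":
        # Claims 3 and 7: vMME 24 when the foreign end is also an edge,
        # vUE 23 when the foreign end is a cloud or fog.
        return "vMME 24" if foreign_type == "edge" else "vUE 23"
    if home_type == "fog":
        # Page: a home fog end not using OIDC gets vUSER 36; claim 5 gives
        # vRP 25 for a home fog end that uses OIDC.
        return "vRP 25" if home_protocol == "OIDC" else "vUSER 36"
    if home_type == "cloud":
        # Page: vUSER 26 or vRP 25, chosen by the foreign end's identity.
        # ASSUMED split: vRP 25 toward the home cloud when the foreign end is
        # a cloud/fog (OIDC peer, as in claim 5), vUSER 26 when it is an edge.
        return "vUSER 26" if foreign_type == "edge" else "vRP 25"
    raise ValueError(f"unknown home type {home_type!r}")


# Message conversion mappings keyed by (source protocol, target protocol).
# The only mapping the page spells out is the edge-to-cloud one: toward the
# home edge, the OIDC-side "Login with IMSI" becomes "Auth Request (IMSI)".
MESSAGE_MAPPINGS: Dict[Tuple[str, str], Dict[str, str]] = {
    ("OIDC", "EPS-AKA"): {"Login with IMSI": "Auth Request (IMSI)"},
}


def map_message(src_protocol: str, dst_protocol: str, message: str) -> str:
    """Convert one authentication message across protocols.

    Messages pass through unchanged within one protocol; an unknown
    cross-protocol message is rejected rather than forwarded as-is, so a
    message the proxy cannot translate never reaches the other side.
    """
    if src_protocol == dst_protocol:
        return message
    table = MESSAGE_MAPPINGS.get((src_protocol, dst_protocol), {})
    if message not in table:
        raise KeyError(f"no {src_protocol}->{dst_protocol} mapping for {message!r}")
    return table[message]


def forwarding_entry(home_type: str, home_protocol: str,
                     foreign_type: str, foreign_protocol: str) -> Dict[str, object]:
    """One row of FIG. 16's forwarding table: the modules to activate and the
    protocol pair whose mapping must be executed for this cross-domain case."""
    return {
        "home_module": home_module(home_type, home_protocol, foreign_type),
        "foreign_module": foreign_module(foreign_type, foreign_protocol),
        "mapping": (foreign_protocol, home_protocol),
    }


if __name__ == "__main__":
    # edge-to-cloud (FIG. 17): home edge with EPS-AKA, foreign cloud with OIDC.
    row = forwarding_entry("edge", "EPS-AKA", "cloud", "OIDC")
    print(row)
    print(map_message("OIDC", "EPS-AKA", "Login with IMSI"))
```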

In addition, to help the reader understand the subroutines described above (FIG. 8 to FIG. 15), the applicant also provides transmission diagrams of the six common cross-domain authentications for reference, shown in FIG. 17 to FIG. 22 respectively. FIG. 17 is a transmission diagram of the edge-to-cloud authentication process according to an embodiment of the present invention; FIG. 18 is a transmission diagram of the edge-to-fog (OIDC) authentication process according to an embodiment of the present invention; FIG. 19 is a transmission diagram of the edge-to-fog (802.1x) authentication process according to an embodiment of the present invention; FIG. 20 is a transmission diagram of the cloud-to-edge authentication process according to an embodiment of the present invention; FIG. 21 is a transmission diagram of the cloud-to-fog (OIDC) authentication process according to an embodiment of the present invention; and FIG. 22 is a transmission diagram of the cloud-to-fog (802.1x) authentication process according to an embodiment of the present invention.

With the above transmission diagrams, those skilled in the art can better understand the step flows of FIG. 3 to FIG. 15.

The entry insertion and lookup establishment procedure is described next. It is used to build a lookup data form and to use that form during the authentication process.

FIG. 23 is a flowchart of the entry insertion and lookup establishment procedure according to an embodiment of the present invention; please also refer to FIG. 1 to FIG. 22. This procedure applies to all kinds of cross-domain services.

First, step S401 is executed: when the universal proxy server 2 receives a service request message from the foreign relay, the control module 21 identifies the corresponding foreign service end in the pre-stored data according to the format of the service request message and the type of the foreign relay. In one embodiment, step S401 may be executed after the initial-stage procedure of FIG. 3, so the control module 21 can identify the corresponding foreign service end from the information about the foreign relay stored in step S13(a), S14(a), S15(b) or S15(d).

Then step S402 is executed: the control module 21 provides identity information to the foreign service end (hereinafter the foreign ID) and records the foreign ID in a foreign service data field of a lookup data form.

Then step S403 is executed: the control module 21 generates a foreign connection entity (entry) from the information the foreign service end needs for authentication, provides identity information to that foreign connection entity (hereinafter the foreign connection ID), and records the foreign connection ID in a foreign connection data field of the lookup data form. In one embodiment, the foreign connection entity includes, without limitation, information about the operation modules required for the foreign service end's authentication, the links between those operation modules and the relay, and the links among the operation modules.

Then step S404 is executed: the control module 21 provides identity information to the user equipment 6 (hereinafter the User ID) and records the User ID in a user data field of the lookup data form.

The control module 21 then waits for the user equipment 6 to return a login option (see step S241). When the user equipment 6 returns the login option, that is, selects the home service end, step S405 is executed: the control module 21 provides identity information to the home service end (hereinafter the home ID) and records the home ID in a home service data field of the lookup data form.

Then step S406 is executed: the control module 21 generates a home connection entity from the information the home service end needs for authentication, provides identity information to that home connection entity (hereinafter the home connection ID), and records the home connection ID in a home connection data field of the lookup data form. In one embodiment, the home connection entity includes, without limitation, information about the operation modules required for the home service end's authentication, the links between those operation modules and the relay, the links among the operation modules, and information supplied by the user equipment 6 (for example, the IMSI).

Then step S407 is executed: the control module 21 records the message conversion mapping between the home service end and the foreign service end in a message mapping data field of the lookup data form. With this, the lookup data form required for this cross-domain service is complete.

Next, the control module 21 can, according to the home service data field, the home connection data field or the message mapping data field of the lookup data form, direct the appropriate operation modules to take part in the authentication required by the home service end, and wait for that authentication to complete. When the authentication required by the home service end is complete, step S408 is executed: the control module 21 runs a lookup subroutine, which serves the authentication required by the foreign service end. This completes the entry insertion and lookup establishment procedure.

The details of the lookup subroutine are described next. FIG. 24 is a flowchart of the lookup subroutine according to an embodiment of the present invention; please also refer to FIG. 1 to FIG. 23.

First, step S408(a) is executed: the control module 21 obtains the foreign connection ID associated with this cross-domain service. In one embodiment, the control module 21 locates the corresponding lookup data form from the home service end and then reads the foreign connection ID from that form.

Then step S408(b) is executed: the control module 21 locates the foreign connection entity by the foreign connection ID and obtains the data required for the foreign service end's authentication.

Then step S408(c) is executed: the control module 21 finds the associated foreign ID in the lookup data form.

Then step S408(d) is executed: the control module 21 finds the associated User ID in the lookup data form.

Then step S408(e) is executed: the control module 21 finds the associated message conversion mapping in the lookup data form.

The control module 21 can then, according to the foreign connection entity, the User ID and the foreign ID, direct the appropriate operation modules to perform the authentication required by the foreign service end, and, according to the data in the message mapping data field, convert the messages of the authentication process into the format of the protocol supported by the foreign service end.

Then step S408(f) is executed: once the message conversion is complete, the control module 21 clears the message conversion mapping from the message mapping data field.

The control module 21 then waits for the authentication required by the foreign service end to complete. When that authentication is complete, step S408(g) is executed: the control module 21 destroys the home connection entity and the foreign connection entity.

This completes the lookup subroutine.
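The lookup data form lifecycle of steps S401 to S408 and the lookup subroutine S408(a) to S408(g), as an added example that is not the patent's own code. The field names and step order follow the page; the class layout, the random per-session IDs, the pre-stored table of foreign service ends and the pass-through of unmapped messages are assumptions of this example, and the constructed inputs at the bottom are not from the page.

```python
"""Lookup data form (S401-S408) and lookup subroutine (S408(a)-S408(g)).

Added illustration, not the patent's own code. Field names and step order
follow the page; class layout, random IDs and the pre-stored table are assumed.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def new_id(prefix: str) -> str:
    # The page only says the control module "provides identity information";
    # an unguessable per-session token is assumed here.
    return f"{prefix}-{secrets.token_hex(8)}"


@dataclass
class ConnectionEntry:
    """Home or foreign connection entity: modules, links and extra data."""
    service_end: str
    modules: List[str]
    links: Dict[str, str] = field(default_factory=dict)
    data: Dict[str, str] = field(default_factory=dict)   # e.g. IMSI from UE 6


@dataclass
class LookupForm:
    """One lookup data form; the home fields are filled in at step S405."""
    foreign_id: str
    foreign_connection_id: str
    user_id: str
    home_id: Optional[str] = None
    home_connection_id: Optional[str] = None
    message_mapping: Optional[Dict[str, str]] = None


class ControlModule:
    def __init__(self, pre_stored: Dict[Tuple[str, str], str]):
        # (request format, foreign relay type) -> foreign service end, as
        # stored by the initial-stage procedure (steps S13(a)..S15(d)).
        self.pre_stored = pre_stored
        self.forms: Dict[str, LookupForm] = {}          # by foreign connection ID
        self.entries: Dict[str, ConnectionEntry] = {}   # by connection ID
        self.form_of_home: Dict[str, str] = {}          # home ID -> foreign conn ID

    def on_service_request(self, req_format: str, relay_type: str,
                           foreign_modules: List[str]) -> str:
        """Steps S401-S404: a service request arrived from the foreign relay."""
        foreign_end = self.pre_stored[(req_format, relay_type)]        # S401
        foreign_id = new_id("foreign")                                 # S402
        fc_id = new_id("fconn")                                        # S403
        self.entries[fc_id] = ConnectionEntry(foreign_end, foreign_modules)
        user_id = new_id("user")                                       # S404
        self.forms[fc_id] = LookupForm(foreign_id, fc_id, user_id)
        return fc_id

    def on_login_option(self, fc_id: str, home_end: str, home_modules: List[str],
                        ue_data: Dict[str, str], mapping: Dict[str, str]) -> str:
        """Steps S405-S407: UE 6 returned its login option (home service end)."""
        form = self.forms[fc_id]
        form.home_id = new_id("home")                                  # S405
        hc_id = new_id("hconn")                                        # S406
        self.entries[hc_id] = ConnectionEntry(home_end, home_modules,
                                              data=dict(ue_data))
        form.home_connection_id = hc_id
        form.message_mapping = dict(mapping)                           # S407
        self.form_of_home[form.home_id] = fc_id
        return form.home_id

    def lookup_subroutine(self, home_id: str, messages: List[str]) -> Dict[str, object]:
        """Step S408, run once the home-end authentication has completed."""
        fc_id = self.form_of_home[home_id]                             # S408(a)
        form = self.forms[fc_id]
        foreign_entry = self.entries[fc_id]                            # S408(b)
        foreign_id, user_id = form.foreign_id, form.user_id            # S408(c),(d)
        mapping = form.message_mapping                                 # S408(e)
        if mapping is None:
            # The mapping is single-use: it was cleared by an earlier S408(f).
            raise RuntimeError("message mapping already consumed for this form")
        converted = [mapping.get(m, m) for m in messages]  # unmapped names pass through (assumed)
        form.message_mapping = None                                    # S408(f)
        return {"foreign_end": foreign_entry.service_end, "modules": foreign_entry.modules,
                "foreign_id": foreign_id, "user_id": user_id, "messages": converted}

    def on_foreign_auth_complete(self, home_id: str) -> None:
        """Step S408(g): destroy both connection entities and drop the form."""
        fc_id = self.form_of_home.pop(home_id)
        form = self.forms.pop(fc_id)
        del self.entries[fc_id]
        if form.home_connection_id is not None:
            del self.entries[form.home_connection_id]


if __name__ == "__main__":
    # Constructed edge-to-cloud session: home edge 4a, foreign cloud 3b.
    cm = ControlModule({("OIDC login", "CR"): "foreign cloud 3b"})
    fc = cm.on_service_request("OIDC login", "CR", ["vIdP 22"])
    hid = cm.on_login_option(fc, "home edge 4a", ["vUE 23"],
                             {"IMSI": "constructed-imsi"},
                             {"Login with IMSI": "Auth Request (IMSI)"})
    print(cm.lookup_subroutine(hid, ["Login with IMSI"]))
    cm.on_foreign_auth_complete(hid)
    print("entries left:", len(cm.entries))
```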

In addition, the communication system 1 of the present invention can continue to form federation relationships with other communication systems, so that the cross-domain services available to a single account keep increasing.

Thus, with the communication system and communication method of the present invention, a user needs only a single account to use cloud, edge and fog services; compared with the prior art, the communication system of the present invention is highly convenient. In addition, the communication method of the present invention has a complete authentication mechanism and is highly secure.

The above embodiments are given merely for convenience of description; the scope of the rights claimed in the present invention shall be governed by the claims and is not limited to the above embodiments.

1: communication system
2: universal proxy server
21: control module
3a: home cloud
4a: home edge
5a: home fog end
3b: foreign cloud
4b: foreign edge
5b: foreign fog end
6: user equipment
7a, 7b: cloud relay (CR)
8a, 8b: edge relay (ER)
9a, 9b: fog relay (FR)
22: virtual identity provider (vIdP)
23: virtual user equipment (vUE)
24: virtual mobility management entity (vMME)
25: virtual relying party (vRP)
26: virtual user (vUSER)
27: virtual home subscriber server (vHSS)
28: virtual authentication server (vAS)
S11~S15(d), S21~S30, S241~S249, S261~S266, S301~S308, A1~A8, B1~B5, C1~C4, D1~D12, E1(a)~E5, F1~F7, G1~G4, H1~H6, S401~S408, S408(a)~S408(g): steps

FIG. 1 is a system architecture diagram of a communication system according to an embodiment of the present invention.
FIG. 2(A) is a summary diagram of the operation modules corresponding to the home service end and the foreign service end according to an embodiment of the present invention.
FIG. 2(B) is a flowchart of a communication method according to an embodiment of the present invention.
FIG. 3 is a flowchart of the initial-stage procedure of the communication method according to an embodiment of the present invention.
FIG. 4 is a flowchart of the main steps of the operation-stage procedure of the communication method according to an embodiment of the present invention.
FIG. 5 is a flowchart of a first user authentication procedure according to an embodiment of the present invention.
FIG. 6 is a flowchart of a second user authentication procedure according to an embodiment of the present invention.
FIG. 7 is a flowchart of a third user authentication procedure according to an embodiment of the present invention.
FIG. 8 is a flowchart of a first home service end authentication subroutine according to an embodiment of the present invention.
FIG. 9 is a flowchart of a first foreign service end authentication subroutine according to an embodiment of the present invention.
FIG. 10 is a flowchart of a second home service end authentication subroutine according to an embodiment of the present invention.
FIG. 11 is a flowchart of a third home service end authentication subroutine according to an embodiment of the present invention.
FIG. 12 is a flowchart of a second foreign service end authentication subroutine according to an embodiment of the present invention.
FIG. 13 is a flowchart of a fourth home service end authentication subroutine according to an embodiment of the present invention.
FIG. 14 is a flowchart of a fifth home service end authentication subroutine according to an embodiment of the present invention.
FIG. 15 is a flowchart of a sixth home service end authentication subroutine according to an embodiment of the present invention.
FIG. 16 is a schematic diagram of the forwarding table of the universal proxy server according to an embodiment of the present invention.
FIG. 17 is a transmission diagram of the edge-to-cloud authentication process according to an embodiment of the present invention.
FIG. 18 is a transmission diagram of the edge-to-fog (OIDC) authentication process according to an embodiment of the present invention.
FIG. 19 is a transmission diagram of the edge-to-fog (802.1x) authentication process according to an embodiment of the present invention.
FIG. 20 is a transmission diagram of the cloud-to-edge authentication process according to an embodiment of the present invention.
FIG. 21 is a transmission diagram of the cloud-to-fog (OIDC) authentication process according to an embodiment of the present invention.
FIG. 22 is a transmission diagram of the cloud-to-fog (802.1x) authentication process according to an embodiment of the present invention.
FIG. 23 is a flowchart of the entry insertion and lookup establishment procedure according to an embodiment of the present invention.
FIG. 24 is a flowchart of the lookup subroutine according to an embodiment of the present invention.


Claims (20)

1. A communication system (1) for performing a third-party authentication between a home service end and a foreign service end, wherein the types of the home service end and the foreign service end include cloud, edge or fog, the communication system (1) comprising: a control module (21) disposed in a universal proxy server (2), wherein the universal proxy server (2) communicates with a cloud (3a, 3b) via a cloud relay (CR) (7a, 7b), communicates with an edge (4a, 4b) via an edge relay (ER) (8a, 8b), and communicates with a fog end (5a, 5b) via a fog relay (FR) (9a, 9b); and a plurality of operation modules (22~28) disposed in the universal proxy server (2); wherein the control module (21) selects at least two of the operation modules (22~28) to perform the third-party authentication according to the types of the home service end and the foreign service end.
2. The communication system (1) of claim 1, wherein the operation modules (22~28) include a virtual home subscriber server (vHSS) (27), and when the foreign service end is a foreign edge (4b), the control module (21) activates the virtual home subscriber server (vHSS) (27) to communicate with the foreign service end.
3. The communication system (1) of claim 2, wherein the operation modules (22~28) further include a virtual mobility management entity (vMME) (24), and when the home service end is a home edge (4a), the control module (21) activates the virtual mobility management entity (vMME) (24) and communicates with the home service end through the virtual mobility management entity (vMME) (24).
4. The communication system (1) of claim 1, wherein the operation modules (22~28) include a virtual OpenID provider (vIdP) (22), and when the foreign service end is a foreign cloud (3b) or a foreign fog end (5b) and the protocol used by the foreign service end (3b, 5b) is OpenID Connect (OIDC), the control module (21) activates the virtual identity provider (vIdP) (22) and communicates with the foreign service end through the virtual identity provider (vIdP) (22).
5. The communication system (1) of claim 4, wherein the operation modules (22~28) further include a virtual relying party (vRP) (25), and when the home service end is a home cloud (3a) or a home fog end (5a) and the protocol used by the home service end (3a, 5a) is OpenID Connect (OIDC), the control module (21) activates the virtual relying party (vRP) (25) and communicates with the home service end through the virtual relying party (vRP) (25).
6. The communication system (1) of claim 1, wherein the operation modules (22~28) include a virtual user (vUSER) (26), and when the home service end is a home fog end (5a) or a home cloud (3a), the control module (21) activates the virtual user (vUSER) (26) and communicates with the home service end (3a, 5a) through the virtual user (vUSER) (26).
7. The communication system (1) of claim 1, wherein the operation modules (22~28) include a virtual user equipment (vUE) (23), and when the home service end is an edge (4a) and the foreign service end is a foreign cloud (3b) or a foreign fog end (5b), the control module (21) activates the virtual user equipment (vUE) (23) and communicates with the home service end through the virtual user equipment (vUE) (23).
8. The communication system (1) of claim 1, wherein the operation modules (22~28) include a virtual authentication server (vAS) (28), and when the foreign service end is a foreign fog end (5b) using the 802.1x protocol, the control module (21) activates the virtual authentication server (vAS) (28) to communicate with the foreign service end.
9. The communication system (1) of claim 1, wherein the control module (21) executes an initial-stage procedure and an operation-stage procedure; in the initial-stage procedure, the control module (21) establishes a communication link between the cloud relay (CR) (7b), the edge relay (ER) (8b) or the fog relay (FR) (9b) corresponding to the foreign service end and one of the operation modules (22~28); and in the operation-stage procedure, the control module (21) determines the type of the foreign service end from the type of a request message sent by the cloud relay (CR) (7b), the edge relay (ER) (8b) or the fog relay (FR) (9b), determines the type of the home service end from a selection message sent by a user equipment, and thereby selects the appropriate operation modules (22~28).
10. The communication system (1) of claim 9, wherein the control module (21) further executes a lookup table establishment procedure to record information about the home service end and the foreign service end in a lookup data form.
11. A communication method executed by a communication system (1) to perform a third-party authentication between a home service end and a foreign service end, wherein the types of the home service end and the foreign service end include cloud (3a, 3b), edge (4a, 4b) or fog (5a, 5b), and the communication system (1) includes a control module (21) and a plurality of operation modules (22~28), the communication method comprising the step of: selecting, by the control module (21), at least two of the operation modules (22~28) to perform the third-party authentication according to the types of the home service end and the foreign service end; wherein the control module (21) and the operation modules (22~28) are disposed in a universal proxy server (2), and the universal proxy server (2) communicates with a cloud (3a, 3b) via a cloud relay (CR) (7a, 7b), communicates with an edge (4a, 4b) via an edge relay (ER) (8a, 8b), and communicates with a fog end (5a, 5b) via a fog relay (FR) (9a, 9b).
12. The communication method of claim 11, further comprising the step of: when the foreign service end is a foreign edge (4b), activating, by the control module (21), a virtual home subscriber server (27) among the operation modules (22~28) and communicating with the foreign service end through the virtual home subscriber server (27).
13. The communication method of claim 12, further comprising the step of: when the home service end is a home edge (4a), activating, by the control module (21), a virtual mobility management entity (vMME) (24) among the operation modules (22~28) and communicating with the home service end through the virtual mobility management entity (vMME) (24).
14. The communication method of claim 11, further comprising the step of: when the foreign service end is a foreign cloud (3b) or a foreign fog end (5b) and the protocol used by the foreign service end (3b, 5b) is OpenID Connect (OIDC), activating, by the control module (21), a virtual identity provider (vIdP) (22) among the operation modules (22~28) and communicating with the foreign service end through the virtual identity provider.
15. The communication method of claim 14, further comprising the step of: when the home service end is a home cloud (3a) or a home fog end (5a) and the protocol used by the home service end (3a, 5a) is OpenID Connect (OIDC), activating, by the control module (21), a virtual relying party (vRP) (25) among the operation modules (22~28) and communicating with the home service end (3a, 5a) through the virtual relying party.
16. The communication method of claim 11, further comprising the step of: when the home service end is a home fog end (5a) or a home cloud (3a), activating, by the control module (21), a virtual user (vUSER) (26) among the operation modules (22~28) and communicating with the home service end (3a, 5a) through the virtual user.
17. The communication method of claim 11, wherein when the home service end is an edge (4a) and the foreign service end is a foreign cloud (3b) or a foreign fog end (5b), the control module (21) activates a virtual user equipment (vUE) (23) among the operation modules (22~28) and communicates with the home service end (4a) through the virtual user equipment.
18. The communication method of claim 11, wherein when the foreign service end is a foreign fog end (5b) using the 802.1x protocol, the control module (21) activates a virtual authentication server (vAS) (28) among the operation modules (22~28) and communicates with the foreign service end (5a, 5b) through the virtual authentication server.
19. The communication method of claim 11, further comprising the step of: executing, by the control module (21), an initial-stage procedure and an operation-stage procedure; in the initial-stage procedure, the control module (21) establishes a communication link between the cloud relay (CR) (7b), the edge relay (ER) (8b) or the fog relay (FR) (9b) corresponding to the foreign service end and one of the operation modules (22~28); and in the operation-stage procedure, the control module (21) determines the type of the foreign service end from the type of a request message sent by the cloud relay (CR) (7b), the edge relay (ER) (8b) or the fog relay (FR) (9b), determines the type of the home service end from a selection message sent by a user equipment, and thereby selects the appropriate operation modules (22~28).
20. The communication method of claim 19, further comprising the step of: executing, by the control module (21), a lookup table establishment procedure to record information about the home service end and the foreign service end in a lookup data form.
TW110103666A 2021-02-01 2021-02-01 Communication system and communication method for performing third party authentication between home service and foreign service TWI745227B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
TW110103666A TWI745227B (en) 2021-02-01 2021-02-01 Communication system and communication method for performing third party authentication between home service and foreign service
US17/356,588 US11502987B2 (en) 2021-02-01 2021-06-24 Communication system and method for performing third-party authentication between home service end and foreign service end

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW110103666A TWI745227B (en) 2021-02-01 2021-02-01 Communication system and communication method for performing third party authentication between home service and foreign service

Publications (2)

Publication Number Publication Date
TWI745227B true TWI745227B (en) 2021-11-01
TW202232917A TW202232917A (en) 2022-08-16

Family

ID=79907388

Family Applications (1)

Application Number Title Priority Date Filing Date
TW110103666A TWI745227B (en) 2021-02-01 2021-02-01 Communication system and communication method for performing third party authentication between home service and foreign service

Country Status (2)

Country Link
US (1) US11502987B2 (en)
TW (1) TWI745227B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11937144B2 (en) * 2021-07-08 2024-03-19 Qualcomm Incorporated Cooperative user equipment switching

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20200169549A1 (en) * 2017-07-05 2020-05-28 Intel Corporation Establishing connections between iot devices using authentication tokens
US20200403994A1 (en) * 2019-06-19 2020-12-24 Servicenow, Inc. Discovery and mapping of a cloud-based authentication, authorization, and user management service

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5796393A (en) * 1996-11-08 1998-08-18 Compuserve Incorporated System for intergrating an on-line service community with a foreign service
US7444513B2 (en) * 2001-05-14 2008-10-28 Nokia Corporiation Authentication in data communication
FI20065288A (en) * 2006-05-03 2007-11-04 Emillion Oy authentication.pm:
US20160277261A9 (en) * 2006-12-29 2016-09-22 Prodea Systems, Inc. Multi-services application gateway and system employing the same
US8214853B2 (en) * 2009-09-02 2012-07-03 Ericsson Television, Inc Systems and methods for providing content to a subscriber through a foreign service provider and for facilitating the subscriber incurring a fee for viewing the content
US10795836B2 (en) * 2017-04-17 2020-10-06 Microsoft Technology Licensing, Llc Data processing performance enhancement for neural networks using a virtualized data iterator

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20200169549A1 (en) * 2017-07-05 2020-05-28 Intel Corporation Establishing connections between iot devices using authentication tokens
US20200403994A1 (en) * 2019-06-19 2020-12-24 Servicenow, Inc. Discovery and mapping of a cloud-based authentication, authorization, and user management service

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Ali, A., Lin, Y-D., Li, C-Y., and Lai, Y. C. (2020). Transparent 3rd-Party authentication with application mobility for 5G mobile edge computing. In 2020 European Conference on Networks and Communications, EuCNC 2020 (pp. 219-224),Published - Jun 2020. *
Lin, Y-D., et al., "Proxy-Based Federated Authentication: A Transparent Third-Party Solution for Cloud-Edge Federation," IEEE Network, pp. 220-227, 34(6), Nov. 2020.

Also Published As

Publication number Publication date
US20220247712A1 (en) 2022-08-04
TW202232917A (en) 2022-08-16
US11502987B2 (en) 2022-11-15

Similar Documents

Publication Publication Date Title
JP7035163B2 (en) Network security management methods and equipment
US8522315B2 (en) Automatic configuration of client terminal in public hot spot
JP3864312B2 (en) 802.1X protocol-based multicast control method
JP4782139B2 (en) Method and system for transparently authenticating mobile users and accessing web services
JP6884818B2 (en) VXLAN implementation methods, network devices, and communication systems
US20090217048A1 (en) Wireless device authentication between different networks
US8611859B2 (en) System and method for providing secure network access in fixed mobile converged telecommunications networks
TW201306610A (en) Automated negotiation and selection of authentication protocols
RU2424628C2 (en) Method and apparatus for interworking authorisation of dual stack operation
WO2010000185A1 (en) A method, apparatus, system and server for network authentication
WO2018196587A1 (en) User authentication method and apparatus in converged network
WO2008049017A2 (en) Authentication interworking
US11070355B2 (en) Profile installation based on privilege level
WO2008080351A1 (en) Wireless local network operation method based on wapi
US9241264B2 (en) Network access authentication for user equipment communicating in multiple networks
TWI745227B (en) Communication system and communication method for performing third party authentication between home service and foreign service
US8954547B2 (en) Method and system for updating the telecommunication network service access conditions of a telecommunication device
JP4584776B2 (en) Gateway device and program
TWI755951B (en) Communication system and communication method
US11818572B2 (en) Multiple authenticated identities for a single wireless association
US20240155705A1 (en) Communication method and apparatus
US8170529B1 (en) Supporting multiple authentication technologies of devices connecting to a wireless network
WO2023094373A1 (en) Method for device commissioning in a network system and network system
WO2022229716A1 (en) Multisession pap/chap support for wwc